[
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17571609#comment-17571609
]
Madhan Neethiraj commented on RANGER-3839:
------------------------------------------
[[email protected]] - thanks for adding the details. This is helpful.
{quote}I tried with resource matching scope as SELF_OR_DESCENDENTS, It
succeeded but it comes with a lot of challenges.
{quote}
If you are looking to check if the user has permission on any resource within a
given resource, then resource-match-scope should be set as SELF_OR_DESCENDENTS.
What issue do you see with is.
For TEST#1 ({{{}use hr;{}}}), if you are looking to find if the user has _any_
permission on _any_ resource within {{hr}} database, I suggest to replace
accessType with an empty value: {{{}"accessType": ""{}}}. In this case the
resource-match-scope is implicitly taken as SELF_OR_DESCENDENTS.
{quote}Please let me know if this worked in HIVE, what could be the reason.?
{quote}
For {{USE DATABASE, SHOW TABLES, SHOW DATABASES }}commands, Hive authorizer
internally checks if the user has *any* permission on any resource (within the
specified database/table). Hence resource-match-scope SELF_OR_DESCENDENTS is
implicit.
> Ranger Tag based policy with ability to show metadata for covered resource
> --------------------------------------------------------------------------
>
> Key: RANGER-3839
> URL: https://issues.apache.org/jira/browse/RANGER-3839
> Project: Ranger
> Issue Type: New Feature
> Components: plugins
> Reporter: Ramesh Bhanan Byndoor
> Priority: Major
> Attachments: resourceTags.json, test_ancestor_meta.json
>
>
> Have a use case around this for Trino where user should be able to see
> allowed parents along with child table
>
> For below case from here
> [https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
>
> Resource
>
> {code:java}
> {
> "serviceName": "cl1_hive",
> "resourceElements": {
> "database": {
> "values": ["employee"]
> },
> "table": {
> "values": ["personal"]
> },
> "column": {
> "values": ["city"]
> }
> },
> "id": 3,
> "guid": "employee.personal.city-guid"
> }
> {code}
> Policy
> {code:java}
> {
> "id": 1,
> "name": "RESTRICTED_TAG_POLICY",
> "isEnabled": true,
> "isAuditEnabled": true,
> "resources": {
> "tag": {
> "values": ["RESTRICTED"],
> "isRecursive": false
> }
> },
> "policyItems": [{
> "accesses": [{
> "type": "hive:select",
> "isAllowed": true
> }],
> "users": ["hive", "user1"],
> "groups": [],
> "delegateAdmin": false,
> "conditions": [{
> "type": "expression",
> "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
> }]
> }]
> }{code}
> The test below is working as expected
> {code:java}
> {
> "name": "ALLOW 'select city from employee.personal;' for user1 using
> RESTRICTED tag",
> "request": {
> "resource": {
> "elements": {
> "database": "employee",
> "table": "personal",
> "column": "city"
> }
> },
> "accessType": "select",
> "user": "user1",
> "userGroups": [],
> "requestData": "select city from employee.personal;' for user1"
> },
> "result": {
> "isAudited": true,
> "isAllowed": true,
> "policyId": 101
> }
> }{code}
> The expectation is how to allow? (without {color:#ff0000}allowing access to
> anything apart from this{color})
> {*}show databases{*};— with results *employee*
> *use employee;*
> *show tables; –* with results *personal*
>
> Please suggest possible ways to solve this/policy creation.
> =====================================================================================================
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
